Appl. No. 10/623,631 
Amdt Dated May 13, 2004 

Reply to Office action of March 25,2004, "Notice to File Missing Parts of Nonprovisional Application" 

Amendments to the Specification: 

Please replace the original submission with the entirety of the 
following submission. It differs only in that it is resubmitted in a 
larger type-face with double line-spacing, except as follows: 

The section previously titled "Summary of Invention" is 
resubmitted additionally, with some expansion for clarity, with 
this amendment as "Abstract" commencing on a separate sheet, 
in compliance with 37 CFR 1.72(b), as required by the Office 
action of 03/25/2004. 

A misspelling of the word "networked" is corrected in the first 
paragraph appearing in this amendment on page 6. 

We added one phrase to the large paragraph appearing in this 
amendment beginning on page 8. Please replace it with the 
following amended paragraph: 
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In networked systems, one of the more feared attacks is one 
where the attacker penetrates and assumes enough control to 
alter the contents of non-volatile storage, for example, replacing 
password files on a harddrive. Such a "root compromise" can turn 
a computer into the cybernetic equivalent of a ticking time bomb, 
and in fact the computer may be usurped and turned into a 
launching point for a variety of attacks against other networked 
machines. At the very least, all security may be disabled without 
the knowledge of the legitimate user, turning their machine into 
an attacker's window into the inner workings of the 
organization's methods and techniques. Ordinarily networked 
computers are part of a large and complex system which has a 
variety of means to trace the source of such attacks, such as 
"dial-up pen-registers"; however, wireless mobile networks have 
no such reliable log-and-trace mechanism, and could very easily 
come under attacks through their wireless connections and 
should be highly hardened against potential penetration to, and 
alteration of, their non-volatile storage systems. The present 
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commercially-available wireless encryption systems, which are 
the first line of defense against such attacks, are known to be 
very weak and easily compromised. 

Please replace the paragraph appearing as the final paragraph 
beginning on page 15 of this amendment with the following, 
which strikes reference to an improperly submitted CD-ROM: 

Modify initialization scripts in the directory /mnt/proto/etc/rc.d to 
conform to those appended in the CDROM labelled "Appendix 
CDROM - A" . These scripts will run at boot time to create 
filesystems in ramdisk and load those filesystems with the 
appropriate files as bootstrap progresses. This completes the 
basic creation and configuration. 
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Inventor: 

Thomas James Hardman Jr 

13921 Parkland Drive 

Rockville MD 20853 

tele: (301) 871 6216 

e-mail: thardman@earthops.net 

TITLE OF INVENTION 

"Secure Mobile Office Wireless Local-Area Network Application 
Integration Package Running from CD-ROM" 

BACKGROUND OF THE INVENTION 
The Invention is in the field of InterNetworked Computer 
Systems. It is designed to provide enhanced security in general, 
and specifically to provide for rapid deployment of Secure Mobile 
Offices with full InterNet server and laptop- workstation 
capabilities, operating in and supporting a Secure Wireless 
Local-Area Network ("LAN") as well as supporting general 
InterNet operations and Virtual Local-Area Network ("VLAN") 
operations. 
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BACKGROUND OF PROBLEM 

Security is increasingly a concern on the global InterNet. A wide 
variety of attacks have been launched against many online sites, 
including invasions of networked computers which are 
responsible for monitoring and control of critical economic and 
physical infrastructure, including computers which control 
elements of the electrical power distribution system, and 
computers which control dams. Fears of terrorist exploitation of 
such weak systems are reasonable fears, and a variety of methods 
have been proposed to increase the security of these networked 
machines. 

Also, rapid data communications between members of 
organizations, and between organizations, is increasingly vital, 
and in no case is it more vital than in a situation of emergency 
response. These communications must be secure, as a variety of 
bad outcomes may emerge if communications can be intercepted, 
with or without modification and retransmission. 

Situations will probably occur which will require rapid 
deployment of non-military response teams to sites of chemical, 
biological, or radiological attacks, or similarly catastrophic 
events. Possession of secure data networking technology may be 
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essential to responders to such events. Disruptions in supply 
lines, procurement systems, or the disruptive nature of 
emergency situations might make it difficult to get the necessary 
computing resources into the field, and lack of standardization 
may further complicate matters, particularly if there are 
incompatibilities between operating systems. There is a clear 
need for a standardized Secure Mobile Office Network 
Application Package. Furthermore, such Secure Mobile Offices 
must be lightweight, consume little power, be extremely portable 
at a moment's notice, and should be networked mostly wirelessly 
as an aid to rapid deployment and ease of relocation and 
reconfiguration in the field. Further, such Secure Mobile Offices 
must enable logins to remote computers, in the case where 
insufficient local capacity exists to perform specific operations 
better done from the headquarters. Such logins to remote 
computers must be exceptionally secure so as to not enable 
attackers to imitate such logins and gain access to the 
headquarters computer. 

Secure Mobile Offices might, if deployed into a precipitated 
catastrophe such as the recent destruction of the World Trade 
Center on 2001 September 11, come under direct attack through 
their networking systems. Thus, their network "hardening" is of 
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high importance. Further, multiple layers of hardening should be 
applied, so that if any one layer is penetrated another will be 
encountered. 

In networked systems, one of the more feared attacks is one 
where the attacker penetrates and assumes enough control to 
alter the contents of non-volatile storage, for example, replacing 
password files on a harddrive. Such a "root compromise" can turn 
a computer into the cybernetic equivalent of a ticking time bomb, 
and in fact the computer may be usurped and turned into a 
launching point for a variety of attacks against other networked 
machines. At the very least, all security may be disabled without 
the knowledge of the legitimate user, turning their machine into 
an attacker's window into the inner workings of the 
organization's methods and techniques. Ordinarily networked 
computers are part of a large and complex system which has a 
variety of means to trace the source of such attacks, such as 
"dial-up pen-registers"; however, wireless mobile networks have 
no such reliable log-and-trace mechanism, and could very easily 
come under attacks through their wireless connections and 
should be highly hardened against potential penetration to, and 
alteration of, their non-volatile storage systems. The present 
commercially-available wireless encryption systems, which are 
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the first line of defense against such attacks, are known to be 
very weak and easily compromised. 
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DETAILED DESCRIPTION OF THE INVENTION 
Our invention is a Secure Mobile Office Applications Integration 
Package which runs entirely from CD-ROM on computers which 
do not have the capability to write to the CD-ROM. This package 
integrates two separate layers of encryption and authentication 
suitable to both wireless and hard-wired TCP/IP (IPv4 and IPv6) 
networked data communications. This Package is intended to be 
used in "ensemble operations" where there are at least two 
computers running with the Package: one of which serves as a 
Kerberos authentication server, as well as a firewall and 
firewall-traversal proxy (SOCKS5) which both permits 
authorized wireless networked computers to access the global 
InterNet, and which disallows unauthorized networked 
computers on either side of it to access the other side of the 
firewall; and, one or more "client" machines, laptops equipped 
with wireless communications cards. 

We chose the Linux operating system as it is very robust, and 
used the Slackware version 7 distribution with a version 2.4.17 
kernel rebuilt to incorporate the "FreeSWAN" IPSEC IP-security 
system for authentication and encryption. Alternatives such as 
the MicroSoft Windows (tm) operating system were rejected as 
being too expensive and vulnerable to attack. We also rejected 
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approaches using any variant of "SSH" or "OpenSSH" ("secure 
shell") for our host-to-host remote login application; instead we 
used the MIT "Kerberos" system for authentication and 
encryption of remote logins and remote application activation. 
We used the "PCMCIA-CS" software which enables the Linux 
kernel to operate PCMCIA ("PC Card") devices, including the 
popular Hermes "Prism-I" chipset IEEE 802. lib-standard 
wireless communication cards. We wrote scripts to allow 
operation entirely from CD. 
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OPERATION 

When the kernel is booted and starts the "init" process which 
controls startup and runlevel, it calls several scripts. Our special 
script; 

- initializes portions of random-access internal memory into 
"ramdisks", and creates filesystems there. These are the only 
read-write elements of this operating system 

- copies, from the CD, into ramdisk, those directories and files 
from the Linux system which must be read- write for the 
operating system to function 

- creates, in ramdisk, a "swap space", or virtual memory area, to 
permit operations exceeding the non-reserved random-access 
memory of the computer 

- loads into memory and executes such kernel modules, code 
libraries or applications as are necessary for standard operation 

- initializes and starts the wireless communications card (and if 
so equipped, an ethernet PCMCIA network interface card) 
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- establishes wireless communications with its wireless-access 
point and its SOCKS5 firewall traversing proxy, and negotiates 
and authenticates to establish IPSEC triple-DES-encrypted 
TCP/IP data communications (client machines); or, alternatively, 
establishes IPSEC communications with authorized hosts such as 
headquarters computers, and starts to proxy between the 
wireless mobile network and the hardwired global InterNet 
(firewall mode), and also starts up the Kerberos authentication 
server. 

- establishes virtual private networks between headquarters and 
the proxy servers, including NFS (UNIX network file-system) 
mounts of remote mass-storage, between client machines, and 
any IPSEC-capable computers which must be accessed. 

- excludes all TCP/IP communications with devices not 
specifically authorized to participate in this Secure Mobile Office 
Wireless Local-Area Network, other than those communications 
required to carry the virtual-private-network encrypted TCP/IP 
packets. 
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DETAILED DESCRIPTION OF THE INVENTION 

This system is based on "Slackware Linux 7.1", Linux kernel 
version 2.4.17, and "FreeS/WAN-1.95", and MIT Kerberos 5- 
1.2.2., and "PCMCIA-CS-3.1.31". All are freely available from 
the InterNet. The system also makes use of the SOCKS5 
Advanced Programming Interface ("API") specification and a 
variety of vendors sell products which make use of this API to act 
as "proxies". 

To create the basis of the system, install the full distribution 
(with the exception of "X-Windows and X-Windows applications) 
of Slackware Linux 7.1 in the recommended manner on a 
secondary harddrive on an Intel-x86 platform machine running 
any recent version of Linux, and boot to the new Linux 
installation. Unpack the FreeS/WAN package in the 
recommended manner. Unpack, build, and install MIT Kerberos 
5 binaries and libraries in the recommended manner. Install 
your SOCKS5 proxy in the recommended manner. 

Unpack and configure the linux-2.4.17 kernel package. Configure 
to build for the intended hardware platform, with maximum 
modularity to assure that a kernel is built which is small enough 
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to be capable of stand-alone boot from a 1.44 megabyte floppy. 
Configure to build to include all standard networking features 
such as TCP/IP, and PPP. Configure to support "RAMDISK", 
with 8 ramdisks of 16384 Kbytes in size. Many other kernel 
configuration options exist but are not generally relevant to this 
particular Specification. Complete configuration and build and 
install the kernel and kernel modules. Reboot to the new kernel 
to test operability. If the kernel works, build and install the 
FreeS/WAN IPSEC package which will rebuild the kernel and 
install the rebuilt kernel. Reboot to the new kernel to test the 
kernel, and make a "boot floppy" from this new IPSEC-capable 
kernel. Unpack, configure, build and install the "PCMCIA-CS" 
package in a manner appropriate to the intended destination 
machine and relevant kernel configuration options. 

Shutdown in an orderly fashion and reboot to the primary 
harddrive. Mount the secondary hardrive to the primary 
filesystem in some convenient place. For example we will specify 
the directory "/mnt/proto" . 

Modify initialization scripts in the directory /mnt/proto/etc/rc.d . 
These scripts will run at boot time to create filesystems in 
ramdisk and load those filesystems with the appropriate files as 
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bootstrap progresses. This completes the basic creation and 
configuration. 

At this point, one could create an "ISO-9660 image" and burn it 
to CDROM, and one could use the "boot floppy" to boot the 
CDROM in any Intel-x86 platform PC with 128 megabytes of 
RAM, but multiple copies of such a CDROM would be duplicates 
of each other and would interfere with each other if operated 
simultaneously on the same non-world-routable subnets, or on 
the world-routable InterNet. 
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In production for clients, we will copy the entire contents of 
/mnt/proto to another directory, for example "/mnt/installer". A 
variety of scripts will take care of such tasks as generating a 
series of IP addresses, hostnames, Kerberos keytabs and 
configuration files, IPSEC configuration files, SOCKS5 
configuration files, etc., as necessary to provide each individual 
CDROM with a unique network identity, "personalization", and 
encryption key. As each instance of the package in /mnt/installer 
is provided with a unique identity and encryption keys, it will 
then be converted to "ISO-9660 image" and burned to CDROM. 
The final result will be a number of CDROMs, each of which will 
boot with a unique network address and network identity, and 
with all other "individualization configuration" issues resolved. 
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Once a series of these CDROMs has been generated, they can be 
inserted into any laptops or workstations based on the Intel-ix86 
platform which are equipped with 128 megabytes of RAM and a 
CDROM drive, and IEEE-802.11b Wireless-LAN PCMCIA cards 
Which are supported by the "PCMCIA-CS" software package. 
When the boostrap procedure is finished, if an IEEE-802.11b 
"Wireless Access Point" is available, these laptops will be full- 
featured "InterNet Hosts" in a network exchanging data with at 
least one layer of triple-DES encryption at all times, ready for 
users to log in and begin their work. 
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